Multiple Cisco products incorporate a version of the OpenSSL package affected by a vulnerability that could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.

The vulnerability is due to a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or Datagram Transport Layer Security (DTLS) client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.

Please note that the devices affected by this vulnerability are those acting as an SSL server terminating SSL connections or as an SSL client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected.

Customers interested in tracking the progress of any of the following bugs can visit the Cisco Bug Search Tool to view the defect details and optionally select Save Bug and activate the Email Notification feature to receive automatic notifications when the bug is updated.

NOTE: the following list includes Cisco applications that are intended to be installed on a customer-provided host (either a physical server or a virtual machine) with a customer-installed operating system. Those products may use the Transport Layer Security (TLS) or Datagram Transport Layer Security (DTLS) functionality provided by the host operating system on which the Cisco product is installed. While those Cisco products do not directly include an affected version of OpenSSL (and hence are not impacted by this vulnerability), Cisco recommends that customers review their host operating system installation and perform any upgrades necessary to address this vulnerability, according to the operating system vendor recommendations and general operating system security best practices.

The following Cisco products have been analyzed and are not affected by this vulnerability:

A vulnerability in the Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) heartbeat functionality in OpenSSL used in multiple Cisco products could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.

The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially-crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2014-0160.
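The missing bounds check described above is the core of CVE-2014-0160: a heartbeat message (RFC 6520) carries a 16-bit payload_length field, and the affected code trusted that field instead of comparing it against the size of the record actually received. The following added example (not Cisco's or OpenSSL's code) shows a heartbeat parser that applies the check the fix introduced, a responder that silently discards messages failing it, and a detection helper a passive sensor could use to flag heartbeat records whose declared payload length cannot fit in the record. The sample records are constructed here for illustration.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of random padding
HEADER_LEN = 1 + 2  # one-byte type followed by a 16-bit payload_length


def parse_heartbeat(record_body: bytes):
    """Parse a heartbeat message body; return (type, payload) or None.

    None means the message must be discarded: its declared payload_length
    does not fit in the record that carried it. Without this comparison a
    responder would echo payload_length bytes read from beyond the end of
    the received message, which is the memory disclosure in CVE-2014-0160.
    """
    if len(record_body) < HEADER_LEN + MIN_PADDING:
        return None
    hb_type = record_body[0]
    (payload_length,) = struct.unpack("!H", record_body[1:HEADER_LEN])
    if HEADER_LEN + payload_length + MIN_PADDING > len(record_body):
        return None  # declared length exceeds what was actually received
    payload = record_body[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes,
                    padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a well-formed heartbeat message (used to build samples)."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + padding


def heartbeat_response(record_body: bytes):
    """Behave like a patched responder: answer only well-formed requests."""
    parsed = parse_heartbeat(record_body)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


def is_suspicious_heartbeat(record_body: bytes) -> bool:
    """Detection rule: flag a heartbeat record whose length field disagrees
    with the record length. A patched peer never emits such a record."""
    return parse_heartbeat(record_body) is None


# Constructed samples: a valid 4-byte request, and a record whose header
# claims 0x1000 (4096) payload bytes while carrying only 4 plus padding.
SAMPLE_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
SAMPLE_MISMATCHED = b"\x01\x10\x00" + b"ping" + b"\x00" * MIN_PADDING
```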

The criterion used to establish whether a Cisco product or service is vulnerable is solely whether it relies on an affected version of the OpenSSL library in order to implement a TLS/DTLS client or server. The criterion does not restrict the analysis to any specific set of protocols that the client or server may implement (e.g., HTTPS, SMTP, EAP).
Based on this criterion, the products listed in this security advisory as not vulnerable remain so no matter which attack vector an attacker may attempt to use to exploit Heartbleed.

The Cupid attack exploits the Heartbleed bug using the EAP protocol as an attack vector to target the TLS layer in EAP-TLS. The products that are listed in this security advisory that are not vulnerable to the Heartbleed vulnerability are also unaffected by the Cupid attack.

The impact of this vulnerability on Cisco products may vary depending on the affected product.

Given the unique characteristics of the Heartbleed vulnerability, Cisco recommends that customers generate new public/private key pairs, obtain a new certificate for that key pair, and install the new certificate and associated key pair as appropriate on all affected deployments after installing the software updates. This is general advice appropriate for Cisco and non-Cisco devices.

For Cisco products, please refer to the information provided in the Cisco bug IDs, listed in the Affected Products section of this document. Additional information and detailed instructions on how to perform those tasks are available on the Cisco installation, configuration and maintenance guides for each product. If additional clarification or advice is needed, please contact your support organization.

The following products leverage the Small Cell factory recovery root filesystem V2.99.4 or later. The factory recovery root filesystem is not stored in flash but is downloaded from Cisco USC CloudBase and used only for the duration of the activation/recovery process. OpenSSL is called by the cURL application, which is itself called from a shell script, so a malicious user would have no exposure to any Cisco proprietary code and the memory space of the cURL process would not contain any private keys:

DPH-SO16 (Cisco, formerly Ubiquisys)
FAPE-HSP-5620 (OEM)
FAPO-HSP-5900 (OEM)
FAPR-HSP-5110 (OEM)
FC1020 (Cisco, formerly Ubiquisys)
FC1021 (Cisco, formerly Ubiquisys)
FC1022 (Cisco, formerly Ubiquisys)
FC1060 (Cisco, formerly Ubiquisys)
FC1080 (Cisco, formerly Ubiquisys)
FC170U (Cisco, formerly Ubiquisys)
FC173U (Cisco, formerly Ubiquisys)
FC233U (Cisco, formerly Ubiquisys)
FC235U (Cisco, formerly Ubiquisys)
FC270U (Cisco, formerly Ubiquisys)
FEMTO-G3 (Cisco, formerly Ubiquisys)
FEMTOAP-SR1 (Cisco, formerly Ubiquisys)
FEMTOAP-SR2 (Cisco, formerly Ubiquisys)
FMA16301T (OEM)
FP16201 (OEM)
FP8101 (OEM)
FP8131T (OEM)
FPA16241T (OEM)
FPLUS2 (Cisco, formerly Ubiquisys)
G5 (Cisco, formerly Ubiquisys)
G6 (Cisco, formerly Ubiquisys)
S2000 (OEM)
SH170U (Cisco, formerly Ubiquisys)
SH173U (Cisco, formerly Ubiquisys)
USC3331 (Cisco)
USC5310 (Cisco)
USC5330 (Cisco)
USC7330 (Cisco)
USC9330 (Cisco)
ZM-000-05-0005 (Cisco, formerly Ubiquisys)
ZP-000-05EU-0004 (Cisco, formerly Ubiquisys)
ZP-000-07EU-0001 (Cisco, formerly Ubiquisys)
ZP-001-03EU-0003 (Cisco, formerly Ubiquisys)
ZP-001-03EU-0005 (Cisco, formerly Ubiquisys)
ZP-001-03EU-0006 (Cisco, formerly Ubiquisys)
ZP-005-02EU-0002 (Cisco, formerly Ubiquisys)

Cisco Universal Small Cell 5000 Series and Cisco Universal Small Cell 7000 Series

A malicious user cannot get the private key of the Universal Small Cell (USC) product as the private keys are held in a separate protected memory space; however, the malicious user may be able to access memory containing the Small Cell internal O&M database and configuration details.

Cisco Collaboration Systems 10.x:

Cisco Unified Communications Manager (UCM) version 10.0, Cisco Unity Connection (UC) version 10.0, and Cisco Unified Presence Server (CUPS) version 10.0 are affected by the OpenSSL vulnerability described in this advisory. An unauthenticated, remote attacker with the ability to open a TCP connection to an affected port may exploit the vulnerability. Successful exploitation may allow the attacker to disclose potentially sensitive information.

Cisco voice and presence devices open a number of service ports to accept connections from users, administrators, phones, and IP voice gateways. A majority of these services are secured using SSL or TLS and may be leveraged by an attacker to exploit the vulnerability.

An unauthenticated, remote attacker with the ability to reach the Web Management interface when enabled, or that can place a direct secure SIP call to the device may trigger the vulnerability. Successful exploitation may allow the attacker to disclose potentially sensitive information.

Voice networks that have been deployed using Cisco Secure Configuration Guidelines are at a reduced risk from outside attackers. Phones that have been segmented from the common use network should restrict the attack surface to other phones and users who have direct access to the voice network.

Cisco Desktop Collaboration Experience:

Cisco Desktop Collaboration Experience DX650 devices may be exposed via the secure Web Management Interface when enabled. These devices may also be exploited via secure SIP, secure RTP, as well as any other application installed on the device that utilizes the system-supplied OpenSSL library.

An unauthenticated, remote attacker with the ability to reach the Web Management interface when enabled, place a direct secure SIP call to the device, or access an affected service may trigger the vulnerability. Successful exploitation may allow the attacker to disclose potentially sensitive information.

Voice networks that have been deployed using Cisco Secure Configuration Guidelines are at a reduced risk from outside attackers. Phones that have been segmented from the common use network should restrict the attack surface to other phones and users who have direct access to the voice network.

Voice Networks Security Hardening Guidelines:

Cisco provides a comprehensive design guide for all voice network deployments. This includes suggested security feature configurations on intermediate and edge devices to prevent spoofed traffic from being passed on the voice network as well as the isolation and segregation of voice traffic from general network traffic. Security information for Cisco Collaboration Systems 10.x is available at the following link: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/security.html

Cisco AnyConnect Secure Mobility Client for iOS

This vulnerability does not affect the versions of Cisco AnyConnect Secure Mobility Client released for devices running iOS 5 or earlier.

Cisco IOS XE Software

Cisco IOS XE Software Release    First Fixed Release
2.x.x                            Not vulnerable
3.1.xS                           Not vulnerable
3.1.xSG                          Not vulnerable
3.2.xS                           Not vulnerable
3.2.xSE                          Not vulnerable
3.2.xSG                          Not vulnerable
3.2.xXO                          Not vulnerable
3.2.xSQ                          Not vulnerable
3.3.xS                           Not vulnerable
3.3.xSE                          Not vulnerable
3.3.xSG                          Not vulnerable
3.3.xXO                          Not vulnerable
3.3.xSQ                          Not vulnerable
3.4.xS                           Not vulnerable
3.4.xSG                          Not vulnerable
3.5.xS                           Not vulnerable
3.5.xE                           Not vulnerable
3.6.xS                           Not vulnerable
3.6.xE                           Not vulnerable
3.7.xS                           Not vulnerable
3.8.xS                           Not vulnerable
3.9.xS                           Not vulnerable
3.10.xS                          Not vulnerable
3.11.xS                          Vulnerable
3.12.xS                          Vulnerable
3.12.0aS                         Not vulnerable
3.11.2S                          Not vulnerable

Cisco Nexus 1000V Switch for VMware vSphere

The product was initially reported as vulnerable; however, upon additional review it was ascertained that no published releases are vulnerable to this issue.

Once individual products are triaged, Cisco will score the vulnerable devices with the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this security advisory is in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps organizations determine the urgency and priority of a response.

Cisco has provided a base and temporal score. Customers can also compute environmental scores that help determine the impact of the vulnerability in their own networks.

The impact of this vulnerability on Cisco products varies depending on the affected product. Successful exploitation of the vulnerability may cause portions of memory from a client or server to be disclosed. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.

When considering software upgrades, customers are advised to consult the Cisco Security Advisories, Responses, and Notices archive at http://www.cisco.com/go/psirt and review subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

This section will be updated when information about fixed software versions is available.

Cisco AnyConnect Secure Mobility Client for iOS

Fixed in version 3.0.09353 and available for download on the App Store for devices running iOS version 6 or 7.

Cisco WebEx Meetings Server

Fixed in version 2.0MR2.

Cisco TelePresence Video Communication Server (VCS)

Fixed in versions X7.2.3 and X8.1.1.

Cisco Expressway Series

Fixed in version X8.1.1.

Cisco FireAMP Private Cloud Virtual Appliance

Fixed in version 1.0.20140409.

After the update:
To further secure the Private Cloud instance, it is recommended that customers, after completing the software update, replace any existing certificates on the appliance:

Customers using certificates other than self-signed certificates should procure and install new certificates. Those certificates should be generated using a new private/public key pair. Customers should NOT reuse the previous public/private key pair. Once the certificates are replaced, putting the device in and out of maintenance mode will ensure that the new certificates are loaded.

Customers using the default self-signed certificates should generate new certificates after performing the FireAMP Private Cloud update by executing the following commands:

This will regenerate the SSL certificates and restart all of the services.

Additionally, customers should reset all passwords (opadmin and fireamp console) and perform a review of the audit logs in both portals.

Cisco SourceFire

Cisco SourceFire 3D Appliances (running release 4.10.x and 5.x up to 5.3) and Cisco SourceFire SSL appliances are not vulnerable to this issue. These appliances run the 0.9.8 branch of OpenSSL, which is not affected by this vulnerability.

For additional information regarding detection, please visit the VRT blog. If you have any questions, please contact Sourcefire Technical Support.

Small Cell Factory Recovery Root Filesystem

Fixed software has been deployed to the Cisco USC CloudBase for all FAPs, except the following Products, which are currently in the planning phases of being updated: FPLUS2-000X, G5-000X, G6-000X Series, FEMTOAP-SR1-000X and FEMTOAP-SR2-000X.

Cisco will release free software updates that address the vulnerability described in this advisory. Prior to deploying software, customers are advised to consult their maintenance providers or check the software for feature set compatibility and known issues that are specific to their environments.

Customers with Cisco products that are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers, should contact that organization for assistance with the appropriate course of action.

The effectiveness of any workaround or fix depends on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Because of the variety of affected products and releases, customers should consult their service providers or support organizations to ensure that any applied workaround or fix is the most appropriate in the intended network before it is deployed.

Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco Technical Assistance Center (TAC):

+1 800 553 2447 (toll free from within North America)

+1 408 526 7209 (toll call from anywhere in the world)

email: tac@cisco.com

Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Customers without service contracts should request free upgrades through the TAC.

The Cisco Product Security Incident Response Team (PSIRT) is aware that multiple scanning attempts and potentially successful exploitations of the vulnerability described in this advisory are being widely discussed; however, Cisco is not aware of any exploitation of Cisco products or services.

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. Upon further investigation the Cisco Edge 300 Digital Media Player was moved to the Products Confirmed Not Vulnerable section.

Revision 1.20

2014-May-09

Updated the Affected Products, Vulnerable Products, and Products Confirmed Not Vulnerable sections. The Cisco Partner Support Services service was moved to the Products Confirmed Not Vulnerable section.